User management functionality is provided by default in all WSO2 Carbon-based products and is configured in the user-mgt.xml file found in the <PRODUCT_HOME>/repository/conf directory. The following documentation introduces the main concepts in User Management, such as users, roles, permissions and user stores, and how they are used in WSO2 products.

User management involves defining and managing users, roles, and their access levels in a system. A user management dashboard or console provides system administrators with a high-level view of a system's active user sessions, their log-in statuses, the privileges of each user, and their activity in the system, enabling system admins to make business-critical, real-time security decisions. A typical user management implementation involves a wide range of functionality such as adding/deleting users, controlling user activity through permissions, managing user roles, defining authentication policies, managing external user stores, manual/automatic log-out, and resetting user passwords.

Any user management system has the following basic components:

- RDBMS (for Authentication and Authorization): This RDBMS stores the information for role-based permissions. According to the default configuration in WSO2 products, the embedded H2 RDBMS that is shipped with the product is used as the user store as well as the RDBMS for storing information related to permissions.
- Realm configuration: The user realm consists of the configurations required to initialise the user realm. The user-mgt.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory is used as the realm configuration XML. This includes setting up the User Store Manager, the Authorization Manager and the System Administrator. These configurations are explained below.

User Store Manager

The User Store Manager is responsible for managing the underlying user store. It is represented by the UserStoreManager Java interface. There can be different User Store Manager implementations to connect with different user stores, but you can configure only one User Store Manager implementation in a single user realm (that is, a single WSO2 Carbon instance). The User Store Manager can be operated in both read/write mode and read-only mode. In read-only mode, you can only connect with an existing user store. WSO2 products provide the following default User Store Manager implementations:

- JDBCUserStoreManager (read and write)
- LDAPUserStoreManager (read-only)
- ApacheDSUserStoreManager (read and write)

You can write a custom user store manager implementation by implementing UserStoreManager, or by extending AbstractUserStoreManager or one of the default implementations.

Using JDBCUserStoreManager

The JDBCUserStoreManager class uses a schema that is specific to WSO2 Carbon. It contains the following tables:

You can find the full schema of these tables in the database script files in the <PRODUCT_HOME>/dbscripts directory. Note that these scripts also contain schemas for other tables that are used for user management and registry functions. If your organization has an existing JDBC user store that you want to use with a WSO2 product, you must extend JDBCUserStoreManager and write a new implementation for your user store according to your schema.

Authorization Manager

The Authorization Manager uses role-based access control (RBAC) to protect resources related to the WSO2 Carbon platform. The default implementation of the Authorization Manager is JDBCAuthorizationManager, which uses a permission model specific to WSO2 Carbon and the authorization data stored in tables in the JDBC database. You can replace this implementation with a custom implementation (for example, if you want to use a XACML authorization manager) and use it with WSO2 products.

System Administrator

The system admin user is typically the super tenant user, who by default has permission to perform all administration tasks in the server. The admin user thereby creates other tenant users and defines roles with permissions. Once this is done, the other tenant users are able to log in to their respective tenant domains and use the server according to the permissions that have been granted. Note that the permissions granted to the Super Tenant user cannot be modified.

Related Topics
- Configuring the User Realm: This topic explains how you can set up and configure the user management realm.
- Managing Users, Roles and Permissions: This topic explains how you can manage the Users, Roles and Permissions using the Management Console.
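The three realm settings described above (User Store Manager, Authorization Manager and System Administrator) as they sit together in the Realm section of user-mgt.xml. This is an added illustration written for this page, not the file shipped with any WSO2 product: the element names follow the user-mgt.xml format, the fully qualified class names are the package locations assumed for the JDBCUserStoreManager and JDBCAuthorizationManager classes the page names, and every property value and the admin password placeholder are illustrative assumptions rather than recommended settings.

```xml
<UserManager>
  <Realm>
    <Configuration>
      <!-- System Administrator: the super tenant admin user and admin role
           are created at first start-up when AddAdmin is true. -->
      <AddAdmin>true</AddAdmin>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <!-- Placeholder; a deployment supplies its own value before the
             first start, since this user can perform every admin task. -->
        <Password>CHANGE_ME_BEFORE_FIRST_START</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
      <!-- JNDI name of the RDBMS used as the user store and for the
           permission tables (the embedded H2 database by default). -->
      <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
    </Configuration>

    <!-- User Store Manager: exactly one implementation per realm.
         The JDBC implementation is the default read/write store. -->
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
      <!-- ReadOnly=true would switch this store into read-only mode,
           which only connects to an already existing user store. -->
      <Property name="ReadOnly">false</Property>
      <Property name="ReadGroups">true</Property>
      <Property name="WriteGroups">true</Property>
      <!-- With these two settings, passwords written to the Carbon schema
           are salted SHA-256 digests rather than plaintext (illustrative). -->
      <Property name="PasswordDigest">SHA-256</Property>
      <Property name="StoreSaltedPassword">true</Property>
      <Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
      <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    </UserStoreManager>

    <!-- Authorization Manager: RBAC over the JDBC permission tables.
         A custom implementation (for example XACML-based) is plugged in
         by changing the class attribute. -->
    <AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
      <Property name="AdminRoleManagementPermissions">/permission</Property>
      <Property name="AuthorizationCacheEnabled">true</Property>
    </AuthorizationManager>
  </Realm>
</UserManager>
```

Two things worth checking when reviewing a realm configuration: that the Realm contains a single UserStoreManager element, since the realm supports only one implementation, and that the ReadOnly property agrees with the mode the chosen implementation supports (the page lists LDAPUserStoreManager as read-only).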